DNS-over-HTTPS has gained a lot of traction as tech giants begin to roll out their plans for encrypting DNS traffic. But not everybody is happy with the changes.
What is DNS-over-HTTPS?
DNS-over-HTTPS is an enhanced privacy protocol for the internet’s naming system that’s aimed at creating a safer browsing experience for all users.
Microsoft recently became the latest tech player to announce that it would be implementing DNS-over-HTTPS – also known as ‘DoH’ – to improve the privacy and reliability of internet traffic for Windows users by supporting encrypted DNS queries.
The move, which joins earlier initiatives taken by both Mozilla and Google, will “close one of the last remaining plain-text domain name transmissions in common web traffic”, Microsoft said.
DoH, which has generally been welcomed by the tech community, will prevent certain security and privacy lapses inherent in how the web currently functions, such as ISP tracking and DNS spoofing. But it also entails some concerns.
What’s wrong with DNS?
The Domain Name System (DNS) has been around for more than three decades, helping to turn internet domain names into IP addresses and direct clients to servers. The DNS, however, suffers from some fundamental flaws.
DNS traffic is unencrypted. This means that every node that relays a DNS request can see its contents, including the domain name of the destination server and part of the IP address of the client.
Internet service providers (ISPs), governments, and other third parties can leverage the flaws in DNS to monitor users’ browsing habits for surveillance, censorship, or even financial gains.
The protocol is also prone to spoofing, where a malicious router can intercept and modify the content of the DNS request or response.
How does DNS-over-HTTPS work?
DNS-over-HTTPS – first proposed as a standard in October 2018 – enhances the privacy of the DNS naming protocol by adding a layer of encryption to DNS packets.
Two things are needed for DoH to happen: a DoH-enabled application (e.g. a browser) and a server that supports encrypted DNS.
When the app makes the DNS request, it is enclosed in encrypted HTTPS packets and sent to the DoH server – called a DoH resolver – which processes the request and sends the encrypted response to the app.
By encrypting DNS requests, DoH prevents communication gatekeepers and eavesdroppers from accessing the information. In other words, anyone who monitors DoH traffic won’t be able to tell the difference between a DNS request and other HTTPS traffic.
To further improve privacy, the DoH resolver also minimizes the information it exchanges with servers when processing the DNS request.
For instance, it modifies the client IP address included in the request to hide the user’s identity, and sends partial domain names to other DNS servers to avoid revealing the entire requested domain.
Who’s doing DNS-over-HTTPS?
Firefox DNS-over-HTTPS
Mozilla was the first organization to adopt DoH in partnership with Cloudflare, and has integrated DoH support for the Firefox browser since version 62.
When users enable DoH on Firefox, the browser will process all DNS requests through the Cloudflare DNS-over-HTTPS resolver instead of the default DNS resolver specified by the device’s network settings.
Cloudflare has committed to discarding personally identifiable data after 24 hours and to never passing user data on to third parties. Mozilla announced in July that it will not enable DoH by default for UK users.
“We are currently focusing on making DoH available by default to our users in the United States,” a Mozilla spokesperson told The Daily Swig.
“At the same time, we’re speaking with different stakeholders and exploring potential DoH partners in other regions to bring this important security feature to users there as well.”
In February 2020, DNS-over-HTTPS became the default option for Firefox users in the United States.
Chrome DNS-over-HTTPS
Google is also testing DNS-over-HTTPS on the Chrome browser and will enable it by default for 1% of users starting in Chrome 79, scheduled for release on December 10, 2019.
Google’s DoH implementation is slightly different from Mozilla’s in that it will not override the system’s network settings.
According to Google, if the device’s current DNS resolver supports DoH, Chrome will switch to encrypted DNS. If not, it will default to standard non-encrypted DNS requests.
Microsoft will be implementing DoH at the operating system level, which means it will encrypt DNS requests from all apps.
Like Google, Microsoft will not override the system’s network settings and will only switch to DoH if the current DNS resolver supports it.
On the server side, BIND added native support for DoH in February 2021.
What are the controversies and concerns surrounding DNS-over-HTTPS?
DoH has drawn criticism from a slate of organizations that have a vested interest in looking into users’ DNS data.
ISPs in the US, for example, have led lobbying efforts against the implementation of DNS-over-HTTPS, citing decreased internet usability as one of the problems with the proposed resolution.
Google’s rollout of DoH on Chrome has also come under specific criticism, with ISPs saying that it would centralize a majority of worldwide DNS data with Google.
Google has rejected these antitrust claims and clarified that it has no plans to centralize or change people’s DNS providers to Google by default.
On the other side of the pond, the UK’s Internet Service Providers Association (ISPA) recently nominated Mozilla as the leading ‘internet villain’ of 2019 for “their proposed approach to introduce DNS-over-HTTPS in such a way as to bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK.”
The ISPA revoked the nomination after it faced a backlash over the decision.
“We have consistently argued that our concerns around DoH lie with how it is being implemented,” Till Sommer, head of policy at ISPA, told The Daily Swig.
“DoH can offer privacy benefits but, if implemented without local systems, rules and regulations in mind, there are real risks to enterprise security, cybersecurity, data protection and online safety.”
GCHQ, one of the UK’s intelligence services, has said that encrypting DNS traffic could have unintended consequences for police investigations.
Concerns around DoH are not well-founded, a Mozilla spokesperson told The Daily Swig, adding that many privacy and digital rights organizations, such as the Electronic Frontier Foundation and The Center for Democracy and Technology, have voiced their support for the protocol.